Introduction

JASPIC may be configured dynamically by an application or statically via
the $CATALINA_BASE/conf/jaspic-providers.xml configuration file.
If present, a JASPIC configuration will over-ride any
<login-config> present in web.xml.

Static configuration

AuthConfigProvider

If the 3rd party implementation includes an
AuthConfigProvider then a web application can be configured to
use it by nesting the following inside the
<jaspic-providers> element in
$CATALINA_BASE/conf/jaspic-providers.xml.

The className attribute must be the fully qualified class
name of the AuthConfigProvider. The implementation may be
packaged with the web application or in Tomcat's
$CATALINA_BASE/lib directory.

The layer attribute must be HttpServlet.

The appContext attribute must be exactly the concatenation
of:

The engine name

The forward slash character

The host name

A single space

The context path

If the AuthConfigProvider supports configuration via
properties these may be specified via <property> elements
nesting inside the <provide> element.

ServerAuthModule

If the 3rd party implementation only provides an
ServerAuthModule then it will be necessary to provide a number
of supporting classes. These may be a custom implementation or,
alternatively, Tomcat provides a simple wrapper implementation for
ServerAuthModules.

Tomcat's wrapper for ServerAuthModule can be configured
by nesting the following inside the
<jaspic-providers> element in
$CATALINA_BASE/conf/jaspic-providers.xml.

The configuration is similar to the AuthConfigProvider in
the previous section but with some key differences.

The className attribute must be
org.apache.catalina.authenticator.jaspic.SimpleAuthConfigProvider.

The ServerAuthModule(s) are specified via properties. The
property name must be
org.apache.catalina.authenticator.jaspic.ServerAuthModule.n
where n is the index of the module. The index must start at 1
an increment in steps of 1 until all modules are defined. The value of the
property must be the fully qualified class name of the module.

Dynamic configuration

JASPIC modules and configuration can be packaged within a WAR file with the
web application. The web application can then register the required JASPIC
configuration when it starts using the standard JASPIC APIs.

If parallel deployment is being used then dynamic configuration should not
be used. The JASPIC API assumes that a context path is unique for any given
host which is not the case when using parallel deployment. When using parallel
deployment, static JASPIC configuration should be used. This will require that
all versions of the application use the same JASPIC configuration.

3rd party modules

This is not an exhaustive list. The Tomcat community welcomes contributions
that add to this section.

Philip Green II's module for Google OAuth 2

The source code for this module along with the
documentation
which includes details of the necessary Google API configuration is
available on GitHub.

A sample configuration for using this module with Tomcat would look like
this: